AWS Achieves PCI DSS 2.0 Validated Service Provider Status (aws.typepad.com)
43 points by bpuvanathasan on Dec 7, 2010 | hide | past | favorite | 8 comments



I didn't expect this to happen nearly this soon. What it means to me is that I can replace a locked cabinet @ colo with EC2, and not have PCI throw a rod if backups are stored on S3 (assuming suitable key management).

What it doesn't help is the dual control and change control issues. I'd love to know how small startups deal with the dual control issue. Ultimately there's going to be a sysadmin somewhere who can read memory, and once that happens, it's single control. Though, not having access to the physical hardware on EC2 makes it a bit more secure from the sysadmin.


You seem to assert that almost every startup that accepts credit cards is not PCI compliant, and further, operates on an environment which at times in the past has been known to be moderately insecure (e.g. hypervisor attacks). That's a pretty bold claim. Do you have any evidence to back it up? (e.g. name companies which are knowingly operating without PCI compliance when they're required to have it)


I'm saying every startup that hosts their checkout pages in the cloud is - by definition - in violation. If you know a startup that accepts credit cards and doesn't have the secure server that accepts the credit card input on a rack somewhere - whether in their office, in their apartment, in a colo, or whatever - then that startup is, by definition, not PCI compliant.

There is a simple and easy way to get into compliance without moving your host - use hosted payment pages. PayPal, Recurly, Braintree, and the other top-tier providers all have hosted payment pages.

Every startup I have been employed by or consulted for w/r/t payments either has a physical box or uses hosted payment pages.


Right, so do you know of any that are in violation?

I know of a bunch of startups that use a hosted page (e.g. Paypal, Google Checkout, authorize.net SIM, whatever), and a bunch of startups that host their main site in the cloud but have a physical server for accepting CCs, but I don't know of any that accept CCs directly on a VM. I'd be pretty surprised to hear about it.


Note that though it is now possible to be PCI DSS certified on AWS it doesn't mean that every AWS app is certified. You need to get your own software audited regularly.


Unless you're Level 1, you can get away with the Self-Assessment Questionnaire (in 99.99% of cases) if you're using a certified provider.


This is great. I can't wait for the other vendors to follow suit.

